1
00:00:00,588 --> 00:00:03,619
I'm a computer science professor,

2
00:00:03,619 --> 00:00:05,932
and my area of expertise is

3
00:00:05,932 --> 00:00:08,131
computer and information security.

4
00:00:08,131 --> 00:00:10,451
When I was in graduate school,

5
00:00:10,451 --> 00:00:13,052
I had the opportunity to overhear my grandmother

6
00:00:13,052 --> 00:00:17,186
describing to one of her fellow senior citizens

7
00:00:17,186 --> 00:00:19,555
what I did for a living.

8
00:00:19,555 --> 00:00:23,117
Apparently, I was in charge of making sure that

9
00:00:23,117 --> 00:00:27,017
no one stole the computers from the university. (Laughter)

10
00:00:27,017 --> 00:00:29,761
And, you know, that's a perfectly reasonable thing

11
00:00:29,761 --> 00:00:31,681
for her to think, because I told her I was working

12
00:00:31,681 --> 00:00:33,188
in computer security,

13
00:00:33,188 --> 00:00:36,785
and it was interesting to get her perspective.

14
00:00:36,785 --> 00:00:39,402
But that's not the most ridiculous thing I've ever heard

15
00:00:39,402 --> 00:00:41,419
anyone say about my work.

16
00:00:41,419 --> 00:00:43,703
The most ridiculous thing I ever heard is,

17
00:00:43,703 --> 00:00:46,837
I was at a dinner party, and a woman heard

18
00:00:46,837 --> 00:00:48,620
that I work in computer security,

19
00:00:48,620 --> 00:00:52,137
and she asked me if -- she said her computer had been

20
00:00:52,137 --> 00:00:55,573
infected by a virus, and she was very concerned that she

21
00:00:55,573 --> 00:00:59,524
might get sick from it, that she could get this virus. (Laughter)

22
00:00:59,524 --> 00:01:02,467
And I'm not a doctor, but I reassured her

23
00:01:02,467 --> 00:01:05,611
that it was very, very unlikely that this would happen,

24
00:01:05,611 --> 00:01:08,412
but if she felt more comfortable, she could be free to use

25
00:01:08,412 --> 00:01:10,260
latex gloves when she was on the computer,

26
00:01:10,260 --> 00:01:13,652
and there would be no harm whatsoever in that.

27
00:01:13,652 --> 00:01:16,159
I'm going to get back to this notion of being able to get

28
00:01:16,159 --> 00:01:19,667
a virus from your computer, in a serious way.

29
00:01:19,667 --> 00:01:21,307
What I'm going to talk to you about today

30
00:01:21,307 --> 00:01:26,153
are some hacks, some real world cyberattacks that people

31
00:01:26,153 --> 00:01:28,707
in my community, the academic research community,

32
00:01:28,707 --> 00:01:31,501
have performed, which I don't think

33
00:01:31,501 --> 00:01:32,709
most people know about,

34
00:01:32,709 --> 00:01:35,737
and I think they're very interesting and scary,

35
00:01:35,737 --> 00:01:38,178
and this talk is kind of a greatest hits

36
00:01:38,178 --> 00:01:41,169
of the academic security community's hacks.

37
00:01:41,169 --> 00:01:43,156
None of the work is my work. It's all work

38
00:01:43,156 --> 00:01:45,330
that my colleagues have done, and I actually asked them

39
00:01:45,330 --> 00:01:47,887
for their slides and incorporated them into this talk.

40
00:01:47,887 --> 00:01:49,629
So the first one I'm going to talk about

41
00:01:49,629 --> 00:01:52,303
are implanted medical devices.

42
00:01:52,303 --> 00:01:55,343
Now medical devices have come a long way technologically.

43
00:01:55,343 --> 00:01:59,199
You can see in 1926 the first pacemaker was invented.

44
00:01:59,199 --> 00:02:02,751
1960, the first internal pacemaker was implanted,

45
00:02:02,751 --> 00:02:05,303
hopefully a little smaller than that one that you see there,

46
00:02:05,303 --> 00:02:08,271
and the technology has continued to move forward.

47
00:02:08,271 --> 00:02:12,904
In 2006, we hit an important milestone from the perspective

48
00:02:12,904 --> 00:02:16,071
of computer security.

49
00:02:16,071 --> 00:02:17,412
And why do I say that?

50
00:02:17,412 --> 00:02:20,302
Because that's when implanted devices inside of people

51
00:02:20,302 --> 00:02:23,047
started to have networking capabilities.

52
00:02:23,047 --> 00:02:24,927
One thing that brings us close to home is we look

53
00:02:24,927 --> 00:02:27,632
at Dick Cheney's device, he had a device that

54
00:02:27,632 --> 00:02:31,501
pumped blood from an aorta to another part of the heart,

55
00:02:31,501 --> 00:02:32,684
and as you can see at the bottom there,

56
00:02:32,684 --> 00:02:35,693
it was controlled by a computer controller,

57
00:02:35,693 --> 00:02:38,210
and if you ever thought that software liability

58
00:02:38,210 --> 00:02:41,799
was very important, get one of these inside of you.

59
00:02:41,799 --> 00:02:45,494
Now what a research team did was they got their hands

60
00:02:45,494 --> 00:02:46,914
on what's called an ICD.

61
00:02:46,914 --> 00:02:48,984
This is a defibrillator, and this is a device

62
00:02:48,984 --> 00:02:53,320
that goes into a person to control their heart rhythm,

63
00:02:53,320 --> 00:02:55,658
and these have saved many lives.

64
00:02:55,658 --> 00:02:58,130
Well, in order to not have to open up the person

65
00:02:58,130 --> 00:03:00,324
every time you want to reprogram their device

66
00:03:00,324 --> 00:03:02,779
or do some diagnostics on it, they made the thing be able

67
00:03:02,779 --> 00:03:05,881
to communicate wirelessly, and what this research team did

68
00:03:05,881 --> 00:03:08,491
is they reverse engineered the wireless protocol,

69
00:03:08,491 --> 00:03:10,363
and they built the device you see pictured here,

70
00:03:10,363 --> 00:03:13,123
with a little antenna, that could talk the protocol

71
00:03:13,123 --> 00:03:17,598
to the device, and thus control it.

72
00:03:17,598 --> 00:03:20,287
In order to make their experience real -- they were unable

73
00:03:20,287 --> 00:03:22,759
to find any volunteers, and so they went

74
00:03:22,759 --> 00:03:24,903
and they got some ground beef and some bacon

75
00:03:24,903 --> 00:03:26,691
and they wrapped it all up to about the size

76
00:03:26,691 --> 00:03:29,489
of a human being's area where the device would go,

77
00:03:29,489 --> 00:03:30,943
and they stuck the device inside it

78
00:03:30,943 --> 00:03:34,075
to perform their experiment somewhat realistically.

79
00:03:34,075 --> 00:03:37,095
They launched many, many successful attacks.

80
00:03:37,095 --> 00:03:40,151
One that I'll highlight here is changing the patient's name.

81
00:03:40,151 --> 00:03:41,144
I don't know why you would want to do that,

82
00:03:41,144 --> 00:03:43,248
but I sure wouldn't want that done to me.

83
00:03:43,248 --> 00:03:45,579
And they were able to change therapies,

84
00:03:45,579 --> 00:03:48,074
including disabling the device -- and this is with a real,

85
00:03:48,074 --> 00:03:49,970
commercial, off-the-shelf device --

86
00:03:49,970 --> 00:03:52,016
simply by performing reverse engineering and sending

87
00:03:52,016 --> 00:03:55,005
wireless signals to it.

88
00:03:55,005 --> 00:03:58,585
There was a piece on NPR that some of these ICDs

89
00:03:58,585 --> 00:04:01,007
could actually have their performance disrupted

90
00:04:01,007 --> 00:04:04,658
simply by holding a pair of headphones onto them.

91
00:04:04,658 --> 00:04:06,067
Now, wireless and the Internet

92
00:04:06,067 --> 00:04:07,719
can improve health care greatly.

93
00:04:07,719 --> 00:04:09,806
There's several examples up on the screen

94
00:04:09,806 --> 00:04:12,913
of situations where doctors are looking to implant devices

95
00:04:12,913 --> 00:04:15,778
inside of people, and all of these devices now,

96
00:04:15,778 --> 00:04:18,903
it's standard that they communicate wirelessly,

97
00:04:18,903 --> 00:04:20,315
and I think this is great,

98
00:04:20,315 --> 00:04:23,420
but without a full understanding of trustworthy computing,

99
00:04:23,420 --> 00:04:25,827
and without understanding what attackers can do

100
00:04:25,827 --> 00:04:27,974
and the security risks from the beginning,

101
00:04:27,974 --> 00:04:30,364
there's a lot of danger in this.

102
00:04:30,364 --> 00:04:31,841
Okay, let me shift gears and show you another target.

103
00:04:31,841 --> 00:04:33,929
I'm going to show you a few different targets like this,

104
00:04:33,929 --> 00:04:36,846
and that's my talk. So we'll look at automobiles.

105
00:04:36,846 --> 00:04:39,742
This is a car, and it has a lot of components,

106
00:04:39,742 --> 00:04:41,362
a lot of electronics in it today.

107
00:04:41,362 --> 00:04:45,739
In fact, it's got many, many different computers inside of it,

108
00:04:45,739 --> 00:04:48,894
more Pentiums than my lab did when I was in college,

109
00:04:48,894 --> 00:04:52,533
and they're connected by a wired network.

110
00:04:52,533 --> 00:04:55,964
There's also a wireless network in the car,

111
00:04:55,964 --> 00:04:59,197
which can be reached from many different ways.

112
00:04:59,197 --> 00:05:02,898
So there's Bluetooth, there's the FM and XM radio,

113
00:05:02,898 --> 00:05:05,718
there's actually wi-fi, there's sensors in the wheels

114
00:05:05,718 --> 00:05:07,871
that wirelessly communicate the tire pressure

115
00:05:07,871 --> 00:05:09,677
to a controller on board.

116
00:05:09,677 --> 00:05:14,595
The modern car is a sophisticated multi-computer device.

117
00:05:14,595 --> 00:05:17,917
And what happens if somebody wanted to attack this?

118
00:05:17,917 --> 00:05:19,234
Well, that's what the researchers

119
00:05:19,234 --> 00:05:21,105
that I'm going to talk about today did.

120
00:05:21,105 --> 00:05:24,082
They basically stuck an attacker on the wired network

121
00:05:24,082 --> 00:05:26,404
and on the wireless network.

122
00:05:26,404 --> 00:05:29,103
Now, they have two areas they can attack.

123
00:05:29,103 --> 00:05:31,141
One is short-range wireless, where you can actually

124
00:05:31,141 --> 00:05:32,922
communicate with the device from nearby,

125
00:05:32,922 --> 00:05:35,059
either through Bluetooth or wi-fi,

126
00:05:35,059 --> 00:05:37,233
and the other is long-range, where you can communicate

127
00:05:37,233 --> 00:05:39,015
with the car through the cellular network,

128
00:05:39,015 --> 00:05:40,975
or through one of the radio stations.

129
00:05:40,975 --> 00:05:44,024
Think about it. When a car receives a radio signal,

130
00:05:44,024 --> 00:05:46,225
it's processed by software.

131
00:05:46,225 --> 00:05:49,286
That software has to receive and decode the radio signal,

132
00:05:49,286 --> 00:05:50,405
and then figure out what to do with it,

133
00:05:50,405 --> 00:05:53,429
even if it's just music that it needs to play on the radio,

134
00:05:53,429 --> 00:05:55,697
and that software that does that decoding,

135
00:05:55,697 --> 00:05:58,790
if it has any bugs in it, could create a vulnerability

136
00:05:58,790 --> 00:06:01,825
for somebody to hack the car.

137
00:06:01,825 --> 00:06:04,777
The way that the researchers did this work is,

138
00:06:04,777 --> 00:06:09,000
they read the software in the computer chips

139
00:06:09,000 --> 00:06:12,193
that were in the car, and then they used sophisticated

140
00:06:12,193 --> 00:06:13,607
reverse engineering tools

141
00:06:13,607 --> 00:06:15,662
to figure out what that software did,

142
00:06:15,662 --> 00:06:18,703
and then they found vulnerabilities in that software,

143
00:06:18,703 --> 00:06:22,049
and then they built exploits to exploit those.

144
00:06:22,049 --> 00:06:24,431
They actually carried out their attack in real life.

145
00:06:24,431 --> 00:06:25,781
They bought two cars, and I guess

146
00:06:25,781 --> 00:06:28,699
they have better budgets than I do.

147
00:06:28,699 --> 00:06:31,289
The first threat model was to see what someone could do

148
00:06:31,289 --> 00:06:33,433
if an attacker actually got access

149
00:06:33,433 --> 00:06:35,486
to the internal network on the car.

150
00:06:35,486 --> 00:06:38,089
Okay, so think of that as, someone gets to go to your car,

151
00:06:38,089 --> 00:06:40,993
they get to mess around with it, and then they leave,

152
00:06:40,993 --> 00:06:43,361
and now, what kind of trouble are you in?

153
00:06:43,361 --> 00:06:46,153
The other threat model is that they contact you

154
00:06:46,153 --> 00:06:48,610
in real time over one of the wireless networks

155
00:06:48,610 --> 00:06:50,665
like the cellular, or something like that,

156
00:06:50,665 --> 00:06:54,665
never having actually gotten physical access to your car.

157
00:06:54,665 --> 00:06:57,489
This is what their setup looks like for the first model,

158
00:06:57,489 --> 00:06:59,172
where you get to have access to the car.

159
00:06:59,172 --> 00:07:02,559
They put a laptop, and they connected to the diagnostic unit

160
00:07:02,559 --> 00:07:05,498
on the in-car network, and they did all kinds of silly things,

161
00:07:05,498 --> 00:07:08,281
like here's a picture of the speedometer

162
00:07:08,281 --> 00:07:11,097
showing 140 miles an hour when the car's in park.

163
00:07:11,097 --> 00:07:13,470
Once you have control of the car's computers,

164
00:07:13,470 --> 00:07:14,389
you can do anything.

165
00:07:14,389 --> 00:07:16,005
Now you might say, "Okay, that's silly."

166
00:07:16,005 --> 00:07:17,664
Well, what if you make the car always say

167
00:07:17,664 --> 00:07:20,405
it's going 20 miles an hour slower than it's actually going?

168
00:07:20,405 --> 00:07:22,947
You might produce a lot of speeding tickets.

169
00:07:22,947 --> 00:07:26,803
Then they went out to an abandoned airstrip with two cars,

170
00:07:26,803 --> 00:07:29,548
the target victim car and the chase car,

171
00:07:29,548 --> 00:07:32,294
and they launched a bunch of other attacks.

172
00:07:32,294 --> 00:07:35,060
One of the things they were able to do from the chase car

173
00:07:35,060 --> 00:07:37,034
is apply the brakes on the other car,

174
00:07:37,034 --> 00:07:38,594
simply by hacking the computer.

175
00:07:38,594 --> 00:07:41,025
They were able to disable the brakes.

176
00:07:41,025 --> 00:07:44,203
They also were able to install malware that wouldn't kick in

177
00:07:44,203 --> 00:07:46,628
and wouldn't trigger until the car was doing something like

178
00:07:46,628 --> 00:07:50,374
going over 20 miles an hour, or something like that.

179
00:07:50,374 --> 00:07:53,132
The results are astonishing, and when they gave this talk,

180
00:07:53,132 --> 00:07:54,848
even though they gave this talk at a conference

181
00:07:54,848 --> 00:07:56,574
to a bunch of computer security researchers,

182
00:07:56,574 --> 00:07:58,274
everybody was gasping.

183
00:07:58,274 --> 00:08:01,973
They were able to take over a bunch of critical computers

184
00:08:01,973 --> 00:08:05,734
inside the car: the brakes computer, the lighting computer,

185
00:08:05,734 --> 00:08:08,561
the engine, the dash, the radio, etc.,

186
00:08:08,561 --> 00:08:10,854
and they were able to perform these on real commercial

187
00:08:10,854 --> 00:08:13,881
cars that they purchased using the radio network.

188
00:08:13,881 --> 00:08:16,884
They were able to compromise every single one of the

189
00:08:16,884 --> 00:08:19,350
pieces of software that controlled every single one

190
00:08:19,350 --> 00:08:22,365
of the wireless capabilities of the car.

191
00:08:22,365 --> 00:08:24,878
All of these were implemented successfully.

192
00:08:24,878 --> 00:08:27,230
How would you steal a car in this model?

193
00:08:27,230 --> 00:08:30,910
Well, you compromise the car by a buffer overflow

194
00:08:30,910 --> 00:08:33,437
of vulnerability in the software, something like that.

195
00:08:33,437 --> 00:08:35,640
You use the GPS in the car to locate it.

196
00:08:35,640 --> 00:08:37,835
You remotely unlock the doors through the computer

197
00:08:37,835 --> 00:08:40,973
that controls that, start the engine, bypass anti-theft,

198
00:08:40,973 --> 00:08:42,641
and you've got yourself a car.

199
00:08:42,641 --> 00:08:45,128
Surveillance was really interesting.

200
00:08:45,128 --> 00:08:48,337
The authors of the study have a video where they show

201
00:08:48,337 --> 00:08:50,886
themselves taking over a car and then turning on

202
00:08:50,886 --> 00:08:53,647
the microphone in the car, and listening in on the car

203
00:08:53,647 --> 00:08:56,998
while tracking it via GPS on a map,

204
00:08:56,998 --> 00:08:58,711
and so that's something that the drivers of the car

205
00:08:58,711 --> 00:09:00,879
would never know was happening.

206
00:09:00,879 --> 00:09:03,013
Am I scaring you yet?

207
00:09:03,013 --> 00:09:04,956
I've got a few more of these interesting ones.

208
00:09:04,956 --> 00:09:06,789
These are ones where I went to a conference,

209
00:09:06,789 --> 00:09:08,722
and my mind was just blown, and I said,

210
00:09:08,722 --> 00:09:10,548
"I have to share this with other people."

211
00:09:10,548 --> 00:09:12,171
This was Fabian Monrose's lab

212
00:09:12,171 --> 00:09:15,627
at the University of North Carolina, and what they did was

213
00:09:15,627 --> 00:09:17,702
something intuitive once you see it,

214
00:09:17,702 --> 00:09:19,416
but kind of surprising.

215
00:09:19,416 --> 00:09:21,675
They videotaped people on a bus,

216
00:09:21,675 --> 00:09:24,515
and then they post-processed the video.

217
00:09:24,515 --> 00:09:26,978
What you see here in number one is a

218
00:09:26,978 --> 00:09:31,361
reflection in somebody's glasses of the smartphone

219
00:09:31,361 --> 00:09:32,786
that they're typing in.

220
00:09:32,786 --> 00:09:34,761
They wrote software to stabilize --

221
00:09:34,761 --> 00:09:36,126
even though they were on a bus

222
00:09:36,126 --> 00:09:39,337
and maybe someone's holding their phone at an angle --

223
00:09:39,337 --> 00:09:41,707
to stabilize the phone, process it, and

224
00:09:41,707 --> 00:09:43,592
you may know on your smartphone, when you type

225
00:09:43,592 --> 00:09:46,531
a password, the keys pop out a little bit, and they were able

226
00:09:46,531 --> 00:09:49,371
to use that to reconstruct what the person was typing,

227
00:09:49,371 --> 00:09:53,692
and had a language model for detecting typing.

228
00:09:53,692 --> 00:09:56,027
What was interesting is, by videotaping on a bus,

229
00:09:56,027 --> 00:09:58,156
they were able to produce exactly what people

230
00:09:58,156 --> 00:10:00,307
on their smartphones were typing,

231
00:10:00,307 --> 00:10:02,567
and then they had a surprising result, which is that

232
00:10:02,567 --> 00:10:05,331
their software had not only done it for their target,

233
00:10:05,331 --> 00:10:06,734
but other people who accidentally happened

234
00:10:06,734 --> 00:10:08,820
to be in the picture, they were able to produce

235
00:10:08,820 --> 00:10:11,547
what those people had been typing, and that was kind of

236
00:10:11,547 --> 00:10:15,164
an accidental artifact of what their software was doing.

237
00:10:15,164 --> 00:10:19,467
I'll show you two more. One is P25 radios.

238
00:10:19,467 --> 00:10:22,267
P25 radios are used by law enforcement

239
00:10:22,267 --> 00:10:25,674
and all kinds of government agencies

240
00:10:25,674 --> 00:10:27,410
and people in combat to communicate,

241
00:10:27,410 --> 00:10:30,243
and there's an encryption option on these phones.

242
00:10:30,243 --> 00:10:32,971
This is what the phone looks like. It's not really a phone.

243
00:10:32,971 --> 00:10:34,177
It's more of a two-way radio.

244
00:10:34,177 --> 00:10:37,499
Motorola makes the most widely used one, and you can see

245
00:10:37,499 --> 00:10:40,148
that they're used by Secret Service, they're used in combat,

246
00:10:40,148 --> 00:10:43,250
it's a very, very common standard in the U.S. and elsewhere.

247
00:10:43,250 --> 00:10:45,555
So one question the researchers asked themselves is,

248
00:10:45,555 --> 00:10:48,259
could you block this thing, right?

249
00:10:48,259 --> 00:10:49,842
Could you run a denial-of-service,

250
00:10:49,842 --> 00:10:51,666
because these are first responders?

251
00:10:51,666 --> 00:10:53,467
So, would a terrorist organization want to black out the

252
00:10:53,467 --> 00:10:57,955
ability of police and fire to communicate at an emergency?

253
00:10:57,955 --> 00:11:01,027
They found that there's this GirlTech device used for texting

254
00:11:01,027 --> 00:11:03,745
that happens to operate at the same exact frequency

255
00:11:03,745 --> 00:11:06,016
as the P25, and they built what they called

256
00:11:06,016 --> 00:11:10,350
My First Jammer. (Laughter)

257
00:11:10,350 --> 00:11:12,728
If you look closely at this device,

258
00:11:12,728 --> 00:11:16,358
it's got a switch for encryption or cleartext.

259
00:11:16,358 --> 00:11:19,408
Let me advance the slide, and now I'll go back.

260
00:11:19,408 --> 00:11:21,955
You see the difference?

261
00:11:21,955 --> 00:11:24,512
This is plain text. This is encrypted.

262
00:11:24,512 --> 00:11:27,069
There's one little dot that shows up on the screen,

263
00:11:27,069 --> 00:11:29,154
and one little tiny turn of the switch.

264
00:11:29,154 --> 00:11:31,058
And so the researchers asked themselves, "I wonder how

265
00:11:31,058 --> 00:11:35,315
many times very secure, important, sensitive conversations

266
00:11:35,315 --> 00:11:36,938
are happening on these two-way radios where they forget

267
00:11:36,938 --> 00:11:39,848
to encrypt and they don't notice that they didn't encrypt?"

268
00:11:39,848 --> 00:11:43,187
So they bought a scanner. These are perfectly legal

269
00:11:43,187 --> 00:11:46,645
and they run at the frequency of the P25,

270
00:11:46,645 --> 00:11:48,412
and what they did is they hopped around frequencies

271
00:11:48,412 --> 00:11:50,922
and they wrote software to listen in.

272
00:11:50,922 --> 00:11:53,556
If they found encrypted communication, they stayed

273
00:11:53,556 --> 00:11:55,242
on that channel and they wrote down, that's a channel

274
00:11:55,242 --> 00:11:57,030
that these people communicate in,

275
00:11:57,030 --> 00:11:58,652
these law enforcement agencies,

276
00:11:58,652 --> 00:12:02,043
and they went to 20 metropolitan areas and listened in

277
00:12:02,043 --> 00:12:05,518
on conversations that were happening at those frequencies.

278
00:12:05,518 --> 00:12:08,757
They found that in every metropolitan area,

279
00:12:08,757 --> 00:12:10,911
they would capture over 20 minutes a day

280
00:12:10,911 --> 00:12:13,286
of cleartext communication.

281
00:12:13,286 --> 00:12:15,286
And what kind of things were people talking about?

282
00:12:15,286 --> 00:12:16,770
Well, they found the names and information

283
00:12:16,770 --> 00:12:19,622
about confidential informants. They found information

284
00:12:19,622 --> 00:12:21,824
that was being recorded in wiretaps,

285
00:12:21,824 --> 00:12:24,534
a bunch of crimes that were being discussed,

286
00:12:24,534 --> 00:12:25,696
sensitive information.

287
00:12:25,696 --> 00:12:29,059
It was mostly law enforcement and criminal.

288
00:12:29,059 --> 00:12:30,893
They went and reported this to the law enforcement

289
00:12:30,893 --> 00:12:32,916
agencies, after anonymizing it,

290
00:12:32,916 --> 00:12:35,916
and the vulnerability here is simply the user interface

291
00:12:35,916 --> 00:12:37,310
wasn't good enough. If you're talking

292
00:12:37,310 --> 00:12:40,126
about something really secure and sensitive, it should

293
00:12:40,126 --> 00:12:43,419
be really clear to you that this conversation is encrypted.

294
00:12:43,419 --> 00:12:45,305
That one's pretty easy to fix.

295
00:12:45,305 --> 00:12:46,974
The last one I thought was really, really cool,

296
00:12:46,974 --> 00:12:49,787
and I just had to show it to you, it's probably not something

297
00:12:49,787 --> 00:12:50,792
that you're going to lose sleep over

298
00:12:50,792 --> 00:12:52,583
like the cars or the defibrillators,

299
00:12:52,583 --> 00:12:55,606
but it's stealing keystrokes.

300
00:12:55,606 --> 00:12:58,353
Now, we've all looked at smartphones upside down.

301
00:12:58,353 --> 00:13:00,543
Every security expert wants to hack a smartphone,

302
00:13:00,543 --> 00:13:05,155
and we tend to look at the USB port, the GPS for tracking,

303
00:13:05,155 --> 00:13:08,363
the camera, the microphone, but no one up till this point

304
00:13:08,363 --> 00:13:09,943
had looked at the accelerometer.

305
00:13:09,943 --> 00:13:11,590
The accelerometer is the thing that determines

306
00:13:11,590 --> 00:13:15,084
the vertical orientation of the smartphone.

307
00:13:15,084 --> 00:13:16,501
And so they had a simple setup.

308
00:13:16,501 --> 00:13:19,259
They put a smartphone next to a keyboard,

309
00:13:19,259 --> 00:13:21,971
and they had people type, and then their goal was

310
00:13:21,971 --> 00:13:24,827
to use the vibrations that were created by typing

311
00:13:24,827 --> 00:13:29,067
to measure the change in the accelerometer reading

312
00:13:29,067 --> 00:13:32,243
to determine what the person had been typing.

313
00:13:32,243 --> 00:13:34,819
Now, when they tried this on an iPhone 3GS,

314
00:13:34,819 --> 00:13:37,588
this is a graph of the perturbations that were created

315
00:13:37,588 --> 00:13:40,829
by the typing, and you can see that it's very difficult

316
00:13:40,829 --> 00:13:43,907
to tell when somebody was typing or what they were typing,

317
00:13:43,907 --> 00:13:46,997
but the iPhone 4 greatly improved the accelerometer,

318
00:13:46,997 --> 00:13:50,477
and so the same measurement

319
00:13:50,477 --> 00:13:52,309
produced this graph.

320
00:13:52,309 --> 00:13:54,795
Now that gave you a lot of information while someone

321
00:13:54,795 --> 00:13:58,036
was typing, and what they did then is used advanced

322
00:13:58,036 --> 00:14:01,043
artificial intelligence techniques called machine learning

323
00:14:01,043 --> 00:14:02,474
to have a training phase,

324
00:14:02,474 --> 00:14:04,710
and so they got most likely grad students

325
00:14:04,710 --> 00:14:08,499
to type in a whole lot of things, and to learn,

326
00:14:08,499 --> 00:14:11,267
to have the system use the machine learning tools that

327
00:14:11,267 --> 00:14:14,130
were available to learn what it is that the people were typing

328
00:14:14,130 --> 00:14:16,957
and to match that up

329
00:14:16,957 --> 00:14:19,434
with the measurements in the accelerometer.

330
00:14:19,434 --> 00:14:21,069
And then there's the attack phase, where you get

331
00:14:21,069 --> 00:14:23,880
somebody to type something in, you don't know what it was,

332
00:14:23,880 --> 00:14:25,177
but you use your model that you created

333
00:14:25,177 --> 00:14:28,619
in the training phase to figure out what they were typing.

334
00:14:28,619 --> 00:14:32,103
They had pretty good success. This is an article from the USA Today.

335
00:14:32,103 --> 00:14:34,712
They typed in, "The Illinois Supreme Court has ruled

336
00:14:34,712 --> 00:14:37,674
that Rahm Emanuel is eligible to run for Mayor of Chicago"

337
00:14:37,674 --> 00:14:39,028
— see, I tied it in to the last talk —

338
00:14:39,028 --> 00:14:41,146
"and ordered him to stay on the ballot."

339
00:14:41,146 --> 00:14:43,917
Now, the system is interesting, because it produced

340
00:14:43,917 --> 00:14:46,803
"Illinois Supreme" and then it wasn't sure.

341
00:14:46,803 --> 00:14:48,753
The model produced a bunch of options,

342
00:14:48,753 --> 00:14:51,462
and this is the beauty of some of the A.I. techniques,

343
00:14:51,462 --> 00:14:53,712
is that computers are good at some things,

344
00:14:53,712 --> 00:14:55,246
humans are good at other things,

345
00:14:55,246 --> 00:14:57,177
take the best of both and let the humans solve this one.

346
00:14:57,177 --> 00:14:58,559
Don't waste computer cycles.

347
00:14:58,559 --> 00:15:00,695
A human's not going to think it's the Supreme might.

348
00:15:00,695 --> 00:15:02,435
It's the Supreme Court, right?

349
00:15:02,435 --> 00:15:04,965
And so, together we're able to reproduce typing

350
00:15:04,965 --> 00:15:07,914
simply by measuring the accelerometer.

351
00:15:07,914 --> 00:15:11,416
Why does this matter? Well, in the Android platform,

352
00:15:11,416 --> 00:15:15,549
for example, the developers have a manifest

353
00:15:15,564 --> 00:15:18,148
where every device on there, the microphone, etc.,

354
00:15:18,148 --> 00:15:20,104
has to register if you're going to use it

355
00:15:20,104 --> 00:15:22,420
so that hackers can't take over it,

356
00:15:22,420 --> 00:15:25,528
but nobody controls the accelerometer.

357
00:15:25,528 --> 00:15:27,744
So what's the point? You can leave your iPhone next to

358
00:15:27,744 --> 00:15:29,850
someone's keyboard, and just leave the room,

359
00:15:29,850 --> 00:15:31,489
and then later recover what they did,

360
00:15:31,489 --> 00:15:33,200
even without using the microphone.

361
00:15:33,200 --> 00:15:35,374
If someone is able to put malware on your iPhone,

362
00:15:35,374 --> 00:15:38,222
they could then maybe get the typing that you do

363
00:15:38,222 --> 00:15:40,543
whenever you put your iPhone next to your keyboard.

364
00:15:40,543 --> 00:15:42,814
There's several other notable attacks that unfortunately

365
00:15:42,814 --> 00:15:44,945
I don't have time to go into, but the one that I wanted

366
00:15:44,945 --> 00:15:47,222
to point out was a group from the University of Michigan

367
00:15:47,222 --> 00:15:49,663
which was able to take voting machines,

368
00:15:49,663 --> 00:15:52,161
the Sequoia AVC Edge DREs that

369
00:15:52,161 --> 00:15:53,716
were going to be used in New Jersey in the election

370
00:15:53,716 --> 00:15:55,877
that were left in a hallway, and put Pac-Man on it.

371
00:15:55,877 --> 00:15:59,500
So they ran the Pac-Man game.

372
00:15:59,500 --> 00:16:01,247
What does this all mean?

373
00:16:01,247 --> 00:16:04,894
Well, I think that society tends to adopt technology

374
00:16:04,894 --> 00:16:07,718
really quickly. I love the next coolest gadget.

375
00:16:07,718 --> 00:16:10,332
But it's very important, and these researchers are showing,

376
00:16:10,332 --> 00:16:11,692
that the developers of these things

377
00:16:11,692 --> 00:16:14,557
need to take security into account from the very beginning,

378
00:16:14,557 --> 00:16:17,342
and need to realize that they may have a threat model,

379
00:16:17,342 --> 00:16:19,804
but the attackers may not be nice enough

380
00:16:19,804 --> 00:16:21,581
to limit themselves to that threat model,

381
00:16:21,581 --> 00:16:24,118
and so you need to think outside of the box.

382
00:16:24,118 --> 00:16:25,696
What we can do is be aware

383
00:16:25,696 --> 00:16:28,175
that devices can be compromised,

384
00:16:28,175 --> 00:16:29,874
and anything that has software in it

385
00:16:29,874 --> 00:16:32,523
is going to be vulnerable. It's going to have bugs.

386
00:16:32,523 --> 00:16:36,020
Thank you very much. (Applause)